Right to be informed

Information Commissioner’s Office, “Guide to the GDPR”, retrieved on 17th May 2018, licensed under the Open Government Licence.

At a glance

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.

You must provide privacy information to individuals at the time you collect their personal data from them.

If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.

User testing is a good way to get feedback on how effective the delivery of your privacy information is.

You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

Checklists

What to provide

We provide individuals with all the following privacy information:

The name and contact details of our organisation.

The name and contact details of our representative (if applicable).

The contact details of our data protection officer (if applicable).

The purposes of the processing.

The lawful basis for the processing.

The legitimate interests for the processing (if applicable).

The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

The recipients or categories of recipients of the personal data.

The details of transfers of the personal data to any third countries or international organisations (if applicable).

The retention periods for the personal data.

The rights available to individuals in respect of the processing.

The right to withdraw consent (if applicable).

The right to lodge a complaint with a supervisory authority.

The source of the personal data (if the personal data is not obtained from the individual it relates to).

The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).

The details of the existence of automated decision-making, including profiling (if applicable).

When to provide it

We provide individuals with privacy information at the time we collect their personal data from them.

If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:

within a reasonable period of obtaining the personal data and no later than one month;

if we plan to communicate with the individual, at the latest, when the first communication takes place; or

if we plan to disclose the data to someone else, at the latest, when the data is disclosed.

The right to be informed covers some of the key transparency requirements of the GDPR. It is about providing people with clear and concise information about what you do with their personal data.

Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about. We call this ‘privacy information’.

Using an effective approach to provide people with privacy information can help you to comply with other aspects of the GDPR, foster trust with individuals and obtain more useful information from them.

Getting this wrong can leave you open to fines and lead to reputational damage.

The table below summarises the information that you must provide. What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to or obtain it from another source.

| What information do we need to provide? | Personal data collected from individuals | Personal data obtained from other sources |
| --- | --- | --- |
| The name and contact details of your organisation | ✓ | ✓ |
| The name and contact details of your representative | ✓ | ✓ |
| The contact details of your data protection officer | ✓ | ✓ |
| The purposes of the processing | ✓ | ✓ |
| The lawful basis for the processing | ✓ | ✓ |
| The legitimate interests for the processing | ✓ | ✓ |
| The categories of personal data obtained | | ✓ |
| The recipients or categories of recipients of the personal data | ✓ | ✓ |
| The details of transfers of the personal data to any third countries or international organisations | ✓ | ✓ |
| The retention periods for the personal data | ✓ | ✓ |
| The rights available to individuals in respect of the processing | ✓ | ✓ |
| The right to withdraw consent | ✓ | ✓ |
| The right to lodge a complaint with a supervisory authority | ✓ | ✓ |
| The source of the personal data | | ✓ |
| The details of whether individuals are under a statutory or contractual obligation to provide the personal data | ✓ | |
| The details of the existence of automated decision-making, including profiling | ✓ | ✓ |

When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.

When you obtain personal data from a source other than the individual it relates to, you need to provide the individual with privacy information:

within a reasonable period of obtaining the personal data and no later than one month;

if the data is used to communicate with the individual, at the latest, when the first communication takes place; or

if disclosure to someone else is envisaged, at the latest, when the data is disclosed.

You must actively provide privacy information to individuals. You can meet this requirement by putting the information on your website, but you must make individuals aware of it and give them an easy way to access it.

When collecting personal data from individuals, you do not need to provide them with any information that they already have.

When obtaining personal data from other sources, you do not need to provide individuals with privacy information if:

the individual already has the information;

providing the information to the individual would be impossible;

providing the information to the individual would involve a disproportionate effort;

providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;

you are required by law to obtain or disclose the personal data; or

you are subject to an obligation of professional secrecy regulated by law that covers the personal data.
